A newly disclosed vulnerability, CVE-2025-46647, has been identified in the openid-connect plugin of Apache APISIX, a widely used open-source API gateway.
This flaw, rated as important, could allow attackers to gain unauthorized access across different identity issuers under specific misconfigurations.
The vulnerability was reported by JunXu Chen to the Apache APISIX development mailing list on July 2, 2025, and credited to security researcher Tiernan Messmer.
| CVE ID | Product | Affected Versions | Fixed Version | Severity |
|---|---|---|---|---|
| CVE-2025-46647 | Apache APISIX | < 3.12.0 | 3.12.0 | Important |
Technical Details
The vulnerability arises from improper validation of the issuer when using the openid-connect plugin in introspection mode.
Specifically, the plugin fails to adequately verify the issuer against the introspection discovery URL, which can be exploited in certain multi-issuer environments.
This vulnerability only affects deployments that meet all of the following conditions:
- The openid-connect plugin is enabled and configured in introspection mode.
- The authentication service associated with the plugin supports multiple issuers.
- These issuers share the same private key and rely solely on the issuer value for differentiation.
If these conditions are met, an attacker with valid credentials for one issuer could potentially use their token to access resources protected by another issuer, effectively bypassing cross-issuer boundaries.
The flaw is particularly concerning for organizations using a single identity provider across multiple logical domains, such as multi-tenant enterprise environments or federated cloud architectures.
In such cases, improper issuer validation could lead to unauthorized access to sensitive resources, undermining the security model of the affected systems.
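The cross-issuer mix-up described above, as an added example that is not code from Apache APISIX or from the advisory: a toy authorization server signs tokens for two logical issuers with one shared key, a mock RFC 7662 introspection endpoint reports tokens from either issuer as active, and the only thing that keeps tenant B's token off a tenant A route is the gateway comparing the issuer returned by introspection with the issuer derived from its configured discovery URL. The issuer names, the shared key, and the rule that the expected issuer is the discovery URL minus its well-known suffix are assumptions made for this example; the plugin's actual internals are not reproduced here.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: two logical issuers served by one authorization
# server that signs tokens for both with a single shared key (the setup the
# advisory describes). Only the `iss` value tells their tokens apart.
SHARED_KEY = b"constructed-shared-signing-key"
ISSUER_A = "https://sso.example.test/realms/tenant-a"
ISSUER_B = "https://sso.example.test/realms/tenant-b"
DISCOVERY_A = ISSUER_A + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str) -> str:
    """Issue an HS256-style compact token for `subject` under `issuer`.
    Constructed for the demo; it plays the role of the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": "api"}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _signature_valid(token: str) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected).encode(), sig.encode())


def mock_introspection_endpoint(token: str) -> dict:
    """Stand-in for the authorization server's RFC 7662 introspection endpoint.
    Because both issuers share the key, it reports tokens from either as active
    and echoes the token's `iss` claim in the response."""
    if not _signature_valid(token):
        return {"active": False}
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return {"active": True, "iss": claims["iss"], "sub": claims["sub"]}


def issuer_from_discovery(discovery_url: str) -> str:
    """Expected issuer for a plugin configured with `discovery_url`.
    Assumption for this example: the issuer is the discovery URL with the
    OIDC Discovery well-known suffix removed."""
    suffix = "/.well-known/openid-configuration"
    if discovery_url.endswith(suffix):
        return discovery_url[: -len(suffix)]
    return discovery_url.rstrip("/")


def gateway_allows_without_issuer_check(token: str) -> bool:
    """Weak behaviour: trust any token the introspection endpoint calls active.
    With a shared key, tenant B's token passes on a tenant A route."""
    return mock_introspection_endpoint(token).get("active") is True


def gateway_allows_with_issuer_check(token: str, discovery_url: str) -> bool:
    """Hardened behaviour: additionally require the issuer reported by
    introspection to equal the issuer the plugin was configured for."""
    resp = mock_introspection_endpoint(token)
    if resp.get("active") is not True:
        return False
    return resp.get("iss") == issuer_from_discovery(discovery_url)


if __name__ == "__main__":
    token_a = mint_token(ISSUER_A, "alice")
    token_b = mint_token(ISSUER_B, "bob")  # valid for tenant B only
    print("weak gateway accepts tenant-B token on tenant-A route:",
          gateway_allows_without_issuer_check(token_b))
    print("hardened gateway accepts tenant-B token on tenant-A route:",
          gateway_allows_with_issuer_check(token_b, DISCOVERY_A))
    print("hardened gateway accepts tenant-A token on tenant-A route:",
          gateway_allows_with_issuer_check(token_a, DISCOVERY_A))
```

The point the advisory's three preconditions make is visible in the weak function: once signature (or introspection) validity is the only gate and the key is shared, the issuer is the last remaining boundary, so the gateway itself must enforce it rather than assuming the authorization server will.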
Affected Versions
| Software | Affected Versions | Fixed Version |
|---|---|---|
| Apache APISIX | < 3.12.0 | 3.12.0 |
All users running Apache APISIX versions prior to 3.12.0 are strongly advised to upgrade to version 3.12.0 or later.
The Apache APISIX team has addressed the issue in this release, ensuring proper validation of the issuer in the openid-connect plugin.